package preparedStatement;

import util.jdbc_utils;

import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;


// Deliberately vulnerable: the SQL text is built by string concatenation (SQL injection demo).
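/**
 * Intentionally vulnerable login demo: the SQL text is assembled by string
 * concatenation, so the NAME/PASSWORD values can break out of their quotes
 * and change the query (SQL injection). The concatenation is kept on purpose
 * to demonstrate the problem; the fix is
 * {@code connection.prepareStatement("select * from `users` where `NAME` = ? AND `PASSWORD` = ?")}
 * with {@code setString(1, username)} / {@code setString(2, password)}.
 */
public class SQL_injection_login {
    public static void main(String[] args) throws SQLException {

        // A normal login would look like: login("赵八", "1233");

        // Both values are "'or'1=1", so the executed statement becomes
        //   select * from `users` where `NAME` =''or'1=1' AND `PASSWORD` =''or'1=1'
        // which matches every row. (The backticks suggest MySQL, where the string
        // literal '1=1' is coerced to the number 1, i.e. true — confirm for the
        // database actually in use.)
        login("'or'or'1=1".substring(0, 0) + "'or'1=1", "'or'1=1");

    }


    /**
     * Looks up a user by name and password and prints every matching row to stdout.
     *
     * @param username value spliced UNESCAPED into the SQL text (injectable)
     * @param password value spliced UNESCAPED into the SQL text (injectable)
     * @throws SQLException if obtaining the statement or running the query fails;
     *                      the connection and statement are released in the finally block
     */
    public static void login(String username, String password) throws SQLException {

        // Vulnerable on purpose: caller-supplied values are concatenated straight into the query.
        String sql = "select * from `users` where `NAME` ='" + username + "' AND `PASSWORD` ='" + password + "'";

        Connection connection = jdbc_utils.get_connection();
        Statement statement = connection.createStatement();
        try {
            // try-with-resources closes the ResultSet explicitly (the original never closed it
            // and passed null to release()).
            try (ResultSet resultSet = statement.executeQuery(sql)) {
                while (resultSet.next()) {
                    System.out.println(resultSet.getObject("id"));
                    System.out.println(resultSet.getObject("NAME"));
                    // NOTE: this dumps the stored password column to stdout — tolerable only in
                    // this demo; real code must never print or log credentials.
                    System.out.println(resultSet.getObject("PASSWORD"));
                    System.out.println(resultSet.getObject("email"));
                    System.out.println(resultSet.getObject("birthday"));

                    System.out.println("--------------------------------------------------------------");
                }
            }
        } finally {
            // Release the connection and statement even when executeQuery throws
            // (the original only released them on the success path).
            jdbc_utils.release(connection, statement, null);
        }
    }
}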
